Sunday, March 4, 2018

The first part of our Life After Law Enforcement series talked
about the decision to leave. In this installment, I’ll compare and contrast
life in the consulting world versus the corporate world. Before I do that,
however, it’s important to discuss a couple concepts that drive the differences
between life in the public sector and the private sector.

One of the biggest differences is there is virtually no
unionization in the private digital forensics world. At least here in the
United States, most law enforcement jobs are going to be unionized civil
service positions. This means that the
relationship between the government entity and the employee is going to be
defined by a collective bargaining agreement. Even if an officer isn’t covered
under a collective bargaining agreement, they’re almost certainly going to be
under some sort of civil service type protection.

This means that there is much more job security compared to the
private world in that you can be thoroughly mediocre, but unless you are really
screwing up in a well-documented way, you get to keep your job. It also means
that your compensation is largely just a function of how long you’ve managed to
stick around rather than how much value you add to the organization.

Not so much in the private sector, where your job security and
compensation will be primarily a function of the value that you provide your
employer rather than how long you’ve managed to go without egregiously screwing
up. You’ll certainly see your fair share
of mediocre people in the private sector, but they tend to have stagnant career
paths and they’re the first people out the door when a re-organization comes or
revenues are down. Since collective bargaining and civil service generally aren’t
in play in the private digital forensics world, your relationship with your
employer is going to be individual rather than collective and revolves around
the value you provide.

This is very good news for people who are motivated and want to
excel. One of the reasons I left law enforcement early in my career is that I
recognized that no matter how good I was at my job, my career path and
compensation would largely be a function of time rather than talent. This is very bad news for someone who just wants
to do the minimum and punch a clock.

Another important difference is that many private sector digital
forensics jobs will put you in the position where you are a necessary evil to
the organization rather than someone driving the primary mission of the
organization. Law enforcement agencies
are put upon this earth to put bad people behind bars. Whether it’s a police officer in a patrol car arresting
baddies or a digital forensics detective putting some evil wretch in prison
until shortly after mammals are extinct because of something they did to some
child, police officers are the primary people advancing the goal of that
agency.

In the private sector, unless you are in a consulting type
position, digital forensics people are a necessary evil to an organization and
are the dreaded
indirect spend. Direct spend is spending that is aligned with delivering a
product or service to a customer. Indirect spend is everything else. Spending money to create and staff a
manufacturing line to build cars that are then sold to customers is direct
spend. Spending money on information security people to keep that manufacturing
line from getting hacked and stopped is indirect spend. Indirect spend is important to an
organization, but it’s a big fat juicy target for cutting costs and increasing
profits. The closer you are to impacting the profit and loss of an
organization, the more important you are. The more important you are to an
organization, the more you will be paid, the better your promotion chances, and
the better your job security.

There are some similarities in that large bureaucracies whether
they are public or private tend to follow the late Jerry Pournelle’s Iron Law
of Bureaucracy more often than anyone would like to admit. I’ll just quote
directly from the Jerry Pournelle website when
it comes to explaining this:

Pournelle's Iron Law of Bureaucracy states that in any
bureaucratic organization there will be two kinds of people:

First, there will be those who are devoted to
the goals of the organization. Examples are dedicated classroom teachers in an
educational bureaucracy, many of the engineers and launch technicians and
scientists at NASA, even some agricultural scientists and advisors in the
former Soviet Union collective farming administration.

Secondly, there will be those dedicated to the
organization itself. Examples are many of the administrators in the education
system, many professors of education, many teachers union officials, much of
the NASA headquarters staff, etc.

The Iron Law states that in every case the second
group will gain and keep control of the organization. It will write the rules,
and control promotions within the organization.

The good news is that this isn’t as universal as the name Iron Law
would imply. I’ve worked for
organizations where the first group of people ran the show and the health,
effectiveness, and morale of the organization reflected that. The organization
I work for right now is one where the Iron Law doesn’t even remotely apply, but
I’ve gotten to know the Iron Law of Bureaucracy all
too well during various periods of my career.

Let’s add another common element in private sector life into all
of this and that’s organizational change. I’ve long since lost track of how many reorganizations I’ve lived
through in the private sector, but it’s a constant part of life in large
private organizations. About the time
you get comfortable with an organizational structure, someone will come along
and blow it up. Change is such a
constant in the private sector that top business schools like can demand
wheelbarrows of cash offering training
in organizational change management.

One of the primary drivers of organizational change is changing
business conditions. Markets are dynamic
so organizations have to adjust their products, services, and how they operate
to adjust to changing market conditions. As organizations change, the security portion of the organization has
to change to continue to securely enable business operations. Security leaders who can’t manage change and
keep up with the business leaders don’t last very long. And when they get whacked you can expect
another reorganization.

This brings up another potential driver of organizational change
and that’s the Ides of
March. Politics are part of any
organization whether they are public or private, but in the private sector, the
stakes can be very high because of the amount of money involved especially if
an organization is highly profitable. There is quite a bit of careerism in the private world. I define a careerist as someone who puts
their own career goals ahead of the needs of the organization or their people.
They’re an odious fact of life in the private sector. They exist in the public sector, but union
rules and civil service protections blunt the impact that they can have on
individuals in an organization.

Executive political life can be pretty…stabby in the private
sector, but the rewards can be great especially when you factor in that
successful security executives in large organizations can make over a million
dollars a year in compensation. In many cases, you will have reorganizations
that have no real functional purpose, but have everything to do with palace
intrigue and who got knifed
on some senate steps.

So why am I telling you this? Because with change comes both peril
and opportunity. If you play your cards right in knowing how to obtain and
retain power in organizations, there could be new opportunities during a
reorganization to advance your career as new teams are created, new positions are
created, or even more money floating around for things like training or tuition
assistance. In security organizations,
one of the best times for funding can be after a major breach when the senior
executives (and they may be the new ones that just replaced the now fired ones)
are scared straight and start throwing immense amounts of money at the security
organization.

Power in organizations translates not only to career progression
and increased rewards, but also to survival. While you certainly can gain power
by moving up the organizational ladder and increasing your influence and
responsibilities, you can also gain power by the value you add to an
organization through your individual abilities. Some of the most powerful people in a security organization are the individual
contributors who have skills that are mission critical and hard to replace.

The more value you add to an organization, the more power you have
to influence things around you, the greater your rewards, and the less you have
to worry about job security. The less valuable you are to an organization, the
less power that you have which harms your ability to change things around you,
your compensation, and your job security. The less value you add to an organization, the greater your risk during
one of the inevitable reorganizations or if your organization hits hard
economic times. It’s not the highly
skilled individual contributors who are going to be marked for termination when
costs have to be cut in an organization or the inevitable next reorganization
comes along.

Let’s talk about two broad categories of private sector jobs. The first I’ll talk about is the consulting
world and then I’ll address corporate life. I’m not going to directly talk about non-profit type organizations like
where I work now because depending on how they are structured they can
essentially act as a government organization or they can feel more like
consulting or corporate. It depends on their mission, funding, and
management.

Let’s start with consulting. Consulting can be an immensely rewarding experience that can greatly
increase your knowledge, job satisfaction, and value or be a joyless
dystopian hellscape where the living envy the dead. I’ve seen a couple golden eras of consulting
during my time in the industry. The
first was the eDiscovery golden age that started roughly near the year 2000 and
ended, the best I can tell, about the time of the financial crisis. During this time, eDiscovery consulting
organizations were shaking down corporations and law firms for confiscatory
prices for providing eDiscovery services. There were countless eDiscovery consulting firms spread across the land
and they were desperate for consultants who they could put into the field and
their labs so that they could crank out as many billable hours as they could
get away with. Life as a consultant
during this time involved burning an immense number of hours traveling and
collecting mountains of data. The data
was then brought back to some lab somewhere and either the same consultants or
different consultants then processed and hosted the data for attorney
review. Since the primary billing model
was consultant hours, consultants were basically just another commodity to be
used up. I saw a lot of burn out during
this era and more than a few very unhappy police officers enter this space
thinking they were going to be doing interesting digital forensics analytical
work and catching bad guys when all they were doing was just endless grunt work
slinging data around from one place to another. If you were an eDisco manager during this era, your life was constant
pressure to make sales goals, making sure your faceless commodities
consultants were being fully utilized for billing purposes, and plenty of stuff
that had nothing to do with chasing bad guys and solving digital forensics
mysteries.

The golden age of eDiscovery went bust because the industry
overplayed its hand and their customers started to bring those services inside
of their organizations. The result was quite a few of these consulting firms
going out of business or being purchased by larger consulting firms that were
better diversified and positioned to survive the bust. I also think the legal
system generally just responded negatively to the high costs and how things
were being done. Cost containment started to be a big deal in the legal world since
even in an adversarial legal system everyone could see that the consultants
were saddling up their customers and taking them for a very expensive
ride.

Another thing that really hurt the eDiscovery industry was the
rise of the golden age of cyber security consulting that continues to this
day. The eDisco consulting industry
faced increasing pressure from the cyber security consulting world for talent
and customer money. This golden era of
cyber security consulting has been partially a response to the near
impossibility of defending networks from persistent skilled attackers. There have been legions of high-profile
breaches and the rise of public disclosure laws has meant that many of these
incidents end up in headlines that result in great financial loss,
embarrassment, and senior executive careers coming to an end. This has provided powerful incentive for organizations
to greatly increase their cyber security capabilities which led to an immense
amount of money being thrown at cyber security consulting firms.

This golden age is meat on the table of enterprising and skilled
law enforcement officers who are looking for their second career. There are countless consulting firms who are
looking for talented people to come help them serve their customers both by
offering proactive services such as penetration testing and threat intelligence
and reactive services such as helping them detect, respond, and remediate
incidents. Some of these firms are going
to be nightmares to work for where your life will be similar to what I
described above, but many others have learned that retaining critical talent
requires providing a reasonable work-life balance, rewarding work, and a career
path.

This gets back into the point I made earlier about the more power
you have in an organization, the more influence you have over the
world around you. One of the things I
learned as a police officer is that trauma comes from lack of control. A great
way to have a traumatic consulting experience is to have minimal technical
skills and to land in a job where you’re traveling nearly constantly doing low-skilled
grunt work. The best way to have a
rewarding consulting experience is to have in-demand job skills (and a security
clearance is worth crazy bonus points in this space) where you are being used
for high-end work that your employer can charge near-confiscatory prices to
customers.

Which gets us to life in the corporate world. In the consulting world, you’re generally
going to be direct spend which means the money an organization puts into you is
directly involved with the service that is being provided to a customer. In the corporate world, you’re indirect
spend. You’re a necessary evil when the
money that is spent on you doesn’t involve making or selling a product or
service to a customer. That’s the bad
news. The good news is that because we’re
in this golden age of cyber security, corporations are just fine (for now) with
this sort of indirect spending. I spent most of my career building and leading
high-performance digital forensics and incident response teams for a couple
Fortune 100 enterprises. Landing on one
of these teams can be a very rewarding experience as long as you do your
homework and find a team and organization that is a good fit for your skills
and temperament.

Corporate digital forensics jobs can take several different forms
but the primary tasks that you’ll see in the corporate world are also the same
that are being offered up in the consulting world such as eDiscovery, threat
intelligence, incident response, security operations, digital forensics,
malware analysis, and the like. That
which is necessary in the cyber security world is either going to be brought in
internally (which creates corporate positions) or purchased externally (which
creates consulting positions) or a combination of both.

Life in the corporate world will be more predictable than in the
consulting world since corporate jobs tend to be more of a normal business
office hour situation with nights and weekends as necessary when things get
busy. There are some exceptions such as
corporations that have 24/7 security operations centers that require shift
work. I don’t see too many people from
the law enforcement world doing security operations shiftwork, but that isn’t
to say that it can’t happen and those security operations roles can be very
rewarding and educational. I’ve seen
many people start in security operation centers and use that time to build a
skillset that led to very rewarding career paths.

I think one of the biggest shocks for law enforcement people going
into the private sector is the concept that you are now a salaried employee and
there is rarely such a thing as overtime or compensation time. You’re expected to get your work done and
that frequently involves working over 40 hours a week to do that. You are also now competing with other people
in your organization. Remember what I
said earlier about gaining power in an organization. Having a reputation as someone who just does
the minimum is a great way to undermine your corporate career even if you are a
highly skilled person. A good attitude
and a strong work ethic will go a long way in the private world.

There is also another aspect of the private sector which is going
out on your own and starting up your own business. Frankly, this is one of the areas where I
have the least amount of experience with and I think the best way to handle
this will be for me to just pester someone to do an interview here on the
blog. If you have any suggestions on who
you might want to see interviewed, let me know.

I’m at about 3,000 words on this blog post and I think I’ve
covered a decent overview of life on the private side. I’ll still continue to
address some specifics as the series progresses especially in the next blog
post where I talk about what you should be doing as a law enforcement officer
to prepare for life on the private side.

If you're looking for a resource that might be able to offer advice on starting your own business, I’d suggest contacting Paul Asadoorian, CEO of Security Weekly. I listen to several of his podcasts. One in particular, Startup Security Weekly, serves as a tremendous resource for enterprising entrepreneurs. Thanks again for the insightful advice.